Components Used

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

The information related to Microsoft certificate services is provided as a guide specifically for Cisco Bring Your Own Device (BYOD). Refer to Microsoft's TechNet as the definitive source of truth for Microsoft certification authority, Network Device Enrollment Service (NDES), and SCEP related server configurations.

Background Information

In a BYOD deployment, one of the core components is a Windows Server 2008 R2 Enterprise server that has the NDES role installed. This server is a member of the Active Directory (AD) forest. During the initial installation of NDES, Microsoft's IIS web server is automatically installed and configured to terminate SCEP requests over HTTP. Plain HTTP gives the Identity Services Engine (ISE) no way to authenticate the NDES server it is talking to, so in some BYOD deployments customers want to further secure the communication between ISE and NDES with HTTPS. This procedure details the steps required to request and install a Secure Sockets Layer (SSL) server certificate for the SCEP website.

Configure

NDES Server Certificate Configuration

Note: A new certificate for IIS is required only when IIS is integrated with a third-party PKI such as Verisign, or when the Certification Authority (CA) and NDES roles are installed on separate servers. If the NDES role is installed on an existing Microsoft CA server, IIS uses the server identity certificate created during the CA setup. For co-located (single-server) configurations such as this, skip directly to the NDES Server IIS Binding Configuration section in this document.
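To tell which of the two cases in the note applies on a given NDES host before requesting anything, the following PowerShell check reports the installed AD CS roles, the server-authentication certificates already in the machine store, and any HTTPS binding already present on the SCEP site. It is added here as an example and is not part of the original Cisco document. It assumes Windows Server 2008 R2 with the ServerManager and WebAdministration modules available, and that NDES was installed into "Default Web Site" (both assumptions); run it in an elevated PowerShell session on the NDES host.

```powershell
# Added example, not from the original document. Assumptions: Windows Server
# 2008 R2, ServerManager and WebAdministration modules present, NDES installed
# into "Default Web Site". Run elevated on the NDES host.
Import-Module ServerManager
Import-Module WebAdministration

$siteName      = 'Default Web Site'    # assumption: site hosting /certsrv/mscep
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth EKU

function Get-NdesCertificateStatus {
    # Which AD CS roles are on this host? CA and NDES co-located is the case
    # the note says needs no new certificate.
    $caInstalled   = (Get-WindowsFeature ADCS-Cert-Authority).Installed
    $ndesInstalled = (Get-WindowsFeature ADCS-Device-Enrollment).Installed

    # Machine-store certificates with a private key that explicitly carry the
    # Server Authentication EKU, i.e. ones IIS could bind to the SCEP site.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
    }

    # Any HTTPS binding already on the SCEP site (may be zero, one or several).
    $httpsBindings = @(Get-WebBinding -Name $siteName -Protocol https)

    New-Object PSObject -Property @{
        CaInstalled     = $caInstalled
        NdesInstalled   = $ndesInstalled
        ServerAuthCerts = @($candidates | Select-Object Subject, Issuer, NotAfter, Thumbprint)
        HttpsBindings   = $httpsBindings
    }
}

$status = Get-NdesCertificateStatus

'Server-authentication certificates in LocalMachine\My:'
$status.ServerAuthCerts | Format-Table -AutoSize

if (-not $status.NdesInstalled) {
    Write-Warning 'NDES role is not installed on this host; nothing to bind.'
} elseif ($status.CaInstalled -and $status.ServerAuthCerts.Count -gt 0) {
    'CA and NDES are co-located and a server-authentication certificate exists:'
    'skip to the NDES Server IIS Binding Configuration section.'
} else {
    'CA and NDES are on separate servers (or no usable certificate is present):'
    'request a new IIS certificate as described in this document.'
}

if ($status.HttpsBindings.Count -gt 0) {
    foreach ($b in $status.HttpsBindings) {
        "HTTPS binding on '$siteName' ($($b.bindingInformation)); " +
        "bound certificate thumbprint: $($b.certificateHash)"
    }
} else {
    "No HTTPS binding on '$siteName' yet; SCEP is currently reachable over HTTP only."
}
```

The thumbprint printed for an existing HTTPS binding should match one of the listed certificates; if it does not, the binding points at a certificate that has been removed or replaced and will need to be re-bound in the IIS Binding Configuration step.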